Remote Desktop Services, VPN and secure connection(s)

Posted on 2011-04-28
Last Modified: 2012-08-14
We are testing Windows 2008 RemoteApp services. We have 2 needs. First, remote offices need access to a SQL application that can only run on the HQ LAN, so we are planning on utilizing RemoteApp. Second, remote offices also need access to network files to be able to open on their local machine.

We started testing with using the same box for VPN and RDS. The idea is that the users connect via VPN so that they can access network files locally by mapping the network share. Then to access the HQ application they use RemoteApp. The W8K box sits behind the firewall with VPN ports forwarded. So far we have it set up so that the RemoteApp is only accessible when a VPN connection exists. Because we don't have two-factor authentication, VPN port access on the firewall is locked down to users' IP addresses. This controls what locations can use VPN, and since the RemoteApp only connects using a LAN machine name, this controls access to the application. Does this sound like the best method to address both issues?

I have read that using the TS Gateway, RDP sessions can be a secured communications channel because traffic is encrypted over HTTPS (443). If I block 3389 on the firewall then the users cannot connect. Is this only a feature that works in conjunction with TSWEB? When a user connects using RDP (either through the VPN or without VPN) I see no 443 traffic. It would be nice to be able to create RDP sessions for RemoteApps without having to create a VPN connection. How can I be assured the traffic is being encrypted? I have used TCPView and Ethereal to view the traffic and I don't see 443 traffic using RDP to connect directly to the TS server.

Can a user access network files over RDP and open the file using their local application, or will we need VPN for that?
Question by: PlazaProp
    LVL 25

    Expert Comment


    If you re-direct local drives, you can open local files with the RemoteApp.

    You can force additional protection of the RDP session by enabling TLS, NLA and FIPS encryption - this would then be encapsulated to the TS Gateway - comms between the TS Gateway and the RD Server are over 3389.

    I believe that the TS Gateway settings need to be configured before the RemoteApp installer is generated - make sure that the TS Gateway is specified and that bypass isn't enabled.

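    The TLS / NLA / FIPS settings mentioned above live on the RD Session Host's RDP-Tcp listener. The following PowerShell audit script is an added example (it is not from this thread or from Microsoft); it reads the three registry values that Group Policy or the RD Session Host Configuration console writes and warns when the listener would still accept a weaker mode. The registry path and value meanings are the documented ones; the function name and the assumption that you run it elevated on the server are mine.

```powershell
# Added example (not from the thread): audit the RDP-Tcp listener on an RD
# Session Host for the TLS, NLA and FIPS settings an expert above recommends.
# Run as an administrator on the server itself (or via Invoke-Command).
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSecurity {
    param([string]$Path = $listenerKey)
    $p = Get-ItemProperty -Path $Path

    # SecurityLayer:      0 = legacy RDP security, 1 = negotiate, 2 = TLS required
    # UserAuthentication: 1 = Network Level Authentication required
    # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS compliant
    New-Object PSObject -Property @{
        SecurityLayer      = $p.SecurityLayer
        TlsRequired        = ($p.SecurityLayer -eq 2)
        NlaRequired        = ($p.UserAuthentication -eq 1)
        MinEncryptionLevel = $p.MinEncryptionLevel
        FipsEncryption     = ($p.MinEncryptionLevel -eq 4)
    }
}

$state = Get-RdpListenerSecurity
$state | Format-List SecurityLayer, TlsRequired, NlaRequired, MinEncryptionLevel, FipsEncryption

# A missing value reads as $null here, which correctly reports the setting as not enforced.
if (-not $state.TlsRequired)    { Write-Warning 'SecurityLayer is not 2: the listener still accepts legacy RDP security.' }
if (-not $state.NlaRequired)    { Write-Warning 'UserAuthentication is 0: NLA is not enforced.' }
if (-not $state.FipsEncryption) { Write-Warning 'MinEncryptionLevel is below 4: FIPS-compliant encryption is not enforced.' }
```

    Because the gateway still talks plain 3389 to the session host on the LAN, these listener settings are what protect that internal hop; the gateway's HTTPS wrapper only covers the client-to-gateway leg.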

    LVL 10

    Expert Comment

    I wouldn't expose a company's internal application or files to the Internet even through HTTPS. I think VPN is the security that you need. As for TS Web, I think it works along with usual RDP; it just makes it easier for people to click on an application, but still it launches RDP to connect, so that it will need VPN to access local resources.

    see this one:

    and this one:
    LVL 1

    Author Comment

    RobMobility, as for accessing the files it is the other way around from what you have described. We need to re-direct remote (HQ) drives so that users can use local apps. Ex. opening a spreadsheet that is on the HQ network.

    Can I use the TS Gateway to be able to connect to another workstation via RDP without having to RDP to the TS first (without using TS Web or VPN)?  I thought I read that I could do this via TS Gateway.  

    Example: remote office --->> internet --->> HQ firewall --->> workstation
    LVL 1

    Author Comment

    Ok, asked too soon. I found where to put the TS Gateway settings in RDC (see below). Now, can I specify a different port number other than 3389 for the TS Gateway?

    1.   Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

    2.   In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

    3.   On the Advanced tab, in the Connect from anywhere area, click Settings.

    4.   In the Gateway Server Settings dialog box, select the appropriate options:

    ·        Use these TS Gateway server settings. You select this option and specify the name of the TS Gateway server that you want to connect to and the logon method to use for the connection. Note that when you specify a name for the TS Gateway server, you must use a fully qualified domain name (FQDN), as "" but without the https://www. prefix in front.

    ·        Bypass TS Gateway server for local addresses. This option is selected by default. Please uncheck this checkbox.

    5.   Click OK.
    LVL 1

    Author Comment


    In the past we have avoided mapping the client drive over RDP for security reasons. Plus transferring a file via RDP is slow. I haven't benchmarked file transfer over RDP vs. VPN yet.
    LVL 5

    Accepted Solution

    Hi PlazaProp.

    I think you are worrying way too much about security; you don't get any more secure than a connection over port 443.

    If I were you I would setup the TS Gateway and you just need to forward port 443 from your firewall to it, you no longer need port 3389 open to the internet.

    The TS Gateway acts as an RDP proxy, as such, and all transfers from the client are encrypted over the internet; it then forwards traffic to the RD Session Host using port 3389.

    You have already found where to configure the Gateway details in the Remote Desktop Client, which is exactly what you need to do. Then you can simply enter any internal computer name on the General tab and it will connect to the internal computer.

    As for accessing the local drives of the server over the internet, I'm afraid the only secure way is with a VPN. You have two options: either an IPSEC tunnel between 2 VPN firewalls, or PPTP or SSL VPN connections on every client computer.

    Your other option is to just let the remote users perform everything on the terminal server and do away with local computing altogether, my preferred solution.

    Hope this all helps.
    Brett Smith
    One IT - Remote Desktop Specialists
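    The client-side steps the asker listed (Advanced tab, Connect from anywhere, gateway FQDN, bypass unchecked, internal computer name on the General tab) and the accepted solution's "forward 443, close 3389" advice can be expressed as an .rdp file plus a verification pass. The script below is an added example written for this thread, not Microsoft's code or anything posted here. The .rdp setting names and integer values are the documented ones; the host names `gateway.example.com` and `hqserver`, the output path and the function names are placeholders. The port probe and certificate peek use .NET classes available on the 2008-era PowerShell 2.0 the thread is about.

```powershell
# Added example (not from the thread): write an .rdp file that always goes via the
# TS Gateway, then check from outside the firewall that 443 answers, 3389 does not,
# and that 443 really presents a TLS certificate. Host names below are placeholders.
param(
    [string]$GatewayFqdn  = 'gateway.example.com',   # external FQDN of the TS Gateway (assumed)
    [string]$InternalHost = 'hqserver',              # LAN name of the RD Session Host / workstation (assumed)
    [string]$OutFile      = "$env:USERPROFILE\Desktop\hq-app.rdp"
)

# The .rdp equivalent of the GUI steps in the thread:
#   gatewayusagemethod 1        = always use the gateway ("bypass for local addresses" unchecked)
#   gatewayprofileusagemethod 1 = use these explicit gateway settings, not the default profile
#   gatewaycredentialssource 0  = ask for a password (NTLM)
#   authentication level 1      = do not connect if the server certificate cannot be verified
#   enablecredsspsupport 1      = offer NLA (CredSSP)
#   drivestoredirect empty      = no local drive redirection, matching the asker's policy
$rdpText = @"
full address:s:$InternalHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:1
enablecredsspsupport:i:1
drivestoredirect:s:
"@
Set-Content -Path $OutFile -Value $rdpText -Encoding ASCII
Write-Host "Wrote $OutFile (open it with: mstsc `"$OutFile`")"

# TCP connect probe with a timeout; returns $true when something accepts the connection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Complete a TLS handshake on the port and report what certificate the gateway presented.
# The validation callback accepts any certificate only so the subject can be inspected
# here; the real RDP client still validates it against the trusted root store.
function Get-TlsCertificateInfo {
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object PSObject -Property @{
            Subject  = $ssl.RemoteCertificate.Subject
            Issuer   = $ssl.RemoteCertificate.Issuer
            Protocol = $ssl.SslProtocol
        }
    } finally { $client.Close() }
}

# Run these from a machine outside the HQ firewall.
$httpsOpen = Test-TcpPort -ComputerName $GatewayFqdn -Port 443
$rdpOpen   = Test-TcpPort -ComputerName $GatewayFqdn -Port 3389
Write-Host ("443  reachable: {0}  (expected True)"  -f $httpsOpen)
Write-Host ("3389 reachable: {0}  (expected False once the old forward is removed)" -f $rdpOpen)
if ($httpsOpen) { Get-TlsCertificateInfo -ComputerName $GatewayFqdn | Format-List Subject, Issuer, Protocol }
```

    The certificate subject shown must match the FQDN you put in `gatewayhostname`; if it does not, the client will refuse the gateway, which is the intended failure rather than a silent fallback to 3389. Capturing on the client while this .rdp file connects should show only the 443 session to the gateway, which is the observation the asker was looking for.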
    LVL 1

    Author Comment

    oneitnz, thanks for the reply. Concise and to the point.

    So to use port 443 do we have to use TSWeb?

    Does putting the gateway information in the RDC client force the client to use port 443, or is it still using 3389 and just bypassing logging directly in to the TS?

    The only problem with doing everything on the terminal server (for us) is that then we would have to buy new licenses for MS Office (the retail version of MS Office 2010 will not install on a TS, apparently a special version is needed, plus we have a mix of 2003 and 2010); management denied funding for new Office for TS. I have suggested Open Office but our users are too hooked in to MS Office and our accounting dept needs Excel because of a special accounting add-on.

    There are multiple solutions for this issue but I have to do it as low cost as possible (ie. do more with less, the story of the century).  So bells and whistles are out the door (ie. no sharepoint, document management system, etc.)
    LVL 5

    Expert Comment

    Hi PlazaProp
    Just to confirm: once you have tested and confirmed that you can connect via the RD Gateway server you will no longer need to have port 3389 open on the firewall to the outside; all traffic will be proxied over port 443.

    No, you don't need to use the TSWeb; that is just installed along with it. I'm not sure if you could just stop the IIS site so that people couldn't reach your TSWeb site, if that's what you're wondering. I believe this would probably stop it listening on port 443 and stop the gateway working altogether.

    I am curious to know if you're running Exchange 2007, either on a SBS 08 box or standalone, because I've just discovered this awesome little hidden gem which allows you to access file shares through OWA.

    Can't find a proper Microsoft article on it but this guy's written a decent setup guide.

    That will solve all your problems without needing a VPN.
    LVL 1

    Author Comment


    I figured that disabling TSWeb (IIS) would stop communications over port 443 since port 443 is HTTPS.

    We are not running Exchange at all. But thanks for the link, very interesting if we decide to implement Exchange.

    I get that RDP will be proxied over port 443 if using TSWEB, but is there a way to directly tell the RDP client to use port 443 (or another port) for the TS Gateway?

    I have tried to specify the port number in the TS Gateway settings in the client but I get an error. I am guessing that the TS Gateway defaults to port 3389, no matter what. Anyone agree with that statement?
    LVL 5

    Assisted Solution

    Hi Plaza
    TS Gateway actually already defaults to port 443; here is a screenshot of the Remote Desktop Client. You need to open Options, then go to the Advanced tab and click Settings under Connect from anywhere.
    Just enter the external DNS name of the TSWeb/RD Gateway server in the box and then on the General tab enter the internal computer's name.

    [Screenshot: Remote Desktop Gateway Settings]
